U.S. Department of Agriculture
Office of Inspector General
Financial & IT Operations

Audit Report

Purchase Card Management System Controls Need Strengthening

Report No. 11099-44-FM
August 2005


UNITED STATES DEPARTMENT OF AGRICULTURE
OFFICE OF INSPECTOR GENERAL
Washington D.C. 20250

September 2, 2005

REPLY TO
ATTN OF:   11099-44-FM

TO:        Russ Ashworth
           Chief
           Office of Procurement and Policy Management

           Patricia E. Healy
           Acting Chief Financial Officer
           Office of the Chief Financial Officer

THROUGH:   Arthur Goldman
           Audit Liaison Officer
           Departmental Administration

           Kathy Donaldson
           Audit Liaison Officer
           Office of the Chief Financial Officer

FROM:      Robert W. Young   /s/
           Assistant Inspector General
           for Audit

SUBJECT:   Purchase Card Management System Controls Need Strengthening

This report presents the results of our audit of controls over the Purchase
Card Management System (PCMS). The Chief, Office of Procurement and Policy
Management (OPPM) and Office of the Chief Financial Officer's response to the
official draft, received on July 22, 2005, is included in its entirety as
exhibit A. The Office of Inspector General's position is incorporated into the
findings and recommendations section of the report.

Based on the information contained in the response, we concur with management
decision on Recommendations 2 and 3 of the report. Although management's
comments concerning the remaining recommendations, with the exception of
Recommendations 1 and 4, adequately address required corrective action,
management did not provide specific dates to complete planned actions.
Management's comments to Recommendation 1 were not adequate because OPPM did
not agree that it is its responsibility to ensure internal controls are in
place and operating effectively.

In accordance with Departmental Regulation 1720-1, please furnish a reply
within 60 days describing the corrective action taken or planned, including
applicable timeframes, on our recommendations. Please note that the regulations
require a management decision to be reached on all findings and recommendations
within a maximum of 6 months from report issuance.

We appreciate the courtesies and cooperation extended to us during the audit.


Executive Summary
Purchase Card Management System Controls Need Strengthening

Results in Brief

Generally, we found that the transactions reviewed were proper and that the
program met its intent of providing a cost-beneficial process for procuring
goods and services within the Department. However, certain program controls
could be strengthened to identify improper payments and potentially fraudulent
activities. Specifically, we found that some cardholders failed to reconcile
their transactions in the Purchase Card Management System (PCMS), the alert
system could be made more effective, and policies governing supervisory
oversight needed strengthening. These weaknesses occurred because there were
limited controls in place to ensure that cardholders reconciled their
purchases, oversight personnel indicated that they were overwhelmed by
excessive messages in the alert system, and limited controls existed within
the system to ensure that supervisors reviewed the appropriateness of
cardholder purchases. As a result, potential improper transactions may not be
detected, and agencies are at an increased risk of monetary losses resulting
from undetected fraudulent, wasteful, or abusive purchase card transactions.

The Office of the Chief Financial Officer (OCFO) and the Office of Procurement
and Property Management (OPPM) could implement additional controls to ensure
the integrity and security of the PCMS system and improve its reliability and
effectiveness in preventing potential improper payments. We found (1) users
with unrestricted and unmonitored administrative access to the PCMS database,
(2) password settings did not conform with Federal requirements, (3) budget
object classification codes (BOCC) were not verified, (4) transactions posted
to cancelled cards, (5) incorrect or missing cardholder data, and (6)
unverified lender rebates. OCFO was aware that many of these weaknesses
existed; however, it had not implemented corrective actions due to other
priorities. As a result, the PCMS is at greater risk of unauthorized access and
improper purchases. Further, the Department may not be receiving the
appropriate rebate from the lender in accordance with its contract.
Specifically:

    •  We found that 14 users had unrestricted and unmonitored database
       administrator privileges to PCMS data, access to PCMS was not
       documented, passwords were not encrypted, and password settings were
       not configured in accordance with departmental and Federal guidelines.
       In addition, the PCMS application did not force users to change their
       initial password.

    •  PCMS did not enter the appropriate BOCC.

USDA/OIG-11099-44-FM                                                    Page i

    •  There was no internal control to prevent a cardholder (whether a
       current or separated employee) from making charges on an account after
       the account had been cancelled.

    •  Purchase cards were not cancelled in a timely manner after the
       cardholder separated from the agency. OCFO removed separated
       employees' access to the PCMS application on a monthly basis, but no
       prescribed controls existed to ensure that those employees' purchase
       cards were cancelled.

    •  We identified 126 cardholders whose social security numbers (SSN) in
       PCMS were invalid or associated with an incorrect individual.

    •  The Department earns a rebate from the lender based on the volume of
       purchase card transactions and payments made. In fiscal year 2003, the
       lender paid the Department over $4.4 million in rebates related to
       purchase card transactions. We found that OCFO ensured that the rebate
       planned by the lender was actually received, but it had not
       independently verified that the lender calculated the rebate
       accurately.

Recommendations in Brief

We recommended the following to strengthen internal controls and to prevent
and detect improper payments made under the Purchase Card Program:

    •  OPPM should establish controls to enforce its policies to (1) address
       alert messages within 30 days of receipt and (2) reconcile and review
       purchase card transactions on a monthly basis.

    •  OPPM in coordination with OCFO should modify PCMS to (1) automatically
       suspend purchase cards that have unreconciled transactions greater than
       60 days and (2) prohibit cardholders from modifying alert messages for
       potentially suspicious transactions.

    •  OCFO should validate whether database administrator access is needed
       for all 14 users we identified to perform their job functions. Remove
       or restrict access as needed and establish procedures and controls
       limiting future designation.

    •  OCFO should modify PCMS and the Security Access Management System
       (SAMS), as appropriate, to ensure that user password controls conform
       to departmental and Federal guidelines.

    •  OPPM in coordination with OCFO should establish controls to require
       users to validate the accuracy of the BOCC for each transaction.

    •  OPPM in coordination with OCFO should modify the PCMS to (1) reject
       transactions from the lender associated with cards that have been
       cancelled, (2) establish an edit to check the validity of cardholder's
       SSN, (3) direct the lender to cancel a card at the same time that PCMS
       drops a cardholder's system access, and (4) independently calculate
       and verify that the appropriate rebate was received.

Agency Response

OCFO and OPPM generally agreed with the findings and recommendations, except
for Recommendations 1 and 4. With respect to Recommendation 1, OPPM did not
agree that it shared responsibility with the user agencies to implement
adequate effective internal controls to enforce policies to (1) reconcile
transactions and address alert messages in a timely manner and (2) review
transactions on a monthly basis. With respect to Recommendation 4, management
indicated that Oracle does not store passwords in clear text.

OIG Position

We continue to believe that OPPM shares responsibility with user agencies to
help ensure internal controls are in place and operating effectively. The lack
of effective internal controls within PCMS is evidenced by over 1,400
cardholders not reconciling approximately 6,700 transactions totaling over
$3.4 million, within 30 days.

We agree that Oracle encrypts passwords; however, PCMS passwords are stored in
clear text in SAMS, which is an IBM system used to access the Oracle-based
PCMS.


Abbreviations Used in This Report

ACFO-FS   Associate Chief Financial Officer-Financial Systems
APC       Agency Program Coordinator
BOCC      Budget Object Classification Code
CCB       Change Control Board
DR        Departmental Regulation
IRMD      Information Resources Management Division
ISSO      Information System Security Office
LAPC      Local Agency Program Coordinator
NFC       National Finance Center
NIST      National Institute of Standards and Technology
OCFO      Office of the Chief Financial Officer
OIG       Office of Inspector General
OMB       Office of Management and Budget
OPPM      Office of Procurement and Property Management
PCMS      Purchase Card Management System
SSN       Social Security Number
USDA      U.S. Department of Agriculture


Table of Contents

Executive Summary ........................................................... i
Abbreviations Used in This Report .......................................... iv
Background and Objectives ................................................... 1
Findings and Recommendations ................................................ 3
    Section 1. Purchase Card Program Oversight .............................. 3
        Finding 1  Additional Oversight Could Improve Purchase Card Program
                   Effectiveness ............................................ 3
                   Recommendation No. 1 ..................................... 5
                   Recommendation No. 2 ..................................... 6
    Section 2. Purchase Card Management System Controls ..................... 7
        Finding 2  Purchase Card Management System Controls Need
                   Strengthening ............................................ 7
                   Recommendation No. 3 .................................... 10
                   Recommendation No. 4 .................................... 11
                   Recommendation No. 5 .................................... 11
                   Recommendation No. 6 .................................... 12
Scope and Methodology ...................................................... 14
Exhibit A .................................................................. 15


Background and Objectives

Background

The U.S. Department of Agriculture's (USDA) Purchase Card Program is part of a
Government-wide initiative to streamline the Federal agency acquisition
processes. The program provides agencies with a low-cost and efficient vehicle
to make small purchases of $2,500 or less directly from vendors. Agencies and
vendors benefit from the program through lower processing costs and reduced
complexity from traditional procurement methods. In fiscal year 2003, USDA
agencies made over $570 million in purchases using the Purchase Card Program.

The Purchase Card Program uses a VISA credit card issued by a commercial
lender, similar to a personal credit card. Purchase cards are marked with the
United States of America seal and the words "For Official U.S. Government
Purchases Only" to distinguish them from a personal credit card.
Also, some cardholders are issued convenience checks tied to the credit
account that can be used for purchases from merchants that do not accept
credit cards.[1]

The Purchase Card Management System (PCMS) is an automated reconciliation and
payment system that assists the users and management in monitoring expenses.
PCMS is a Windows-based system used to track, reconcile, and control purchases
made with purchase cards. On a daily basis, the lender downloads purchase card
transaction data and purchase card master data to the Office of the Chief
Financial Officer (OCFO). OCFO makes payments to the lender for purchases
billed according to a scheduled billing cycle.

The Office of Procurement and Property Management (OPPM) has overall
responsibility for managing the USDA Purchase Card Program and overseeing the
development and maintenance of PCMS. Each agency within USDA has an Agency
Program Coordinator (APC) who is responsible for the overall program in that
agency, and acts as the agency's contact with OPPM and the lender. For
geographically dispersed agencies, Local Agency Program Coordinators (LAPC)
are responsible for the day-to-day operations of the Purchase Card Program in
their designated area. The LAPC is appointed by the head of the contracting
office, subject to the concurrence of the APC. Agency APC and LAPC
responsibilities include cardholder training, purchase card record
maintenance, oversight of purchase card transactions, and cancellation or
activation of cardholder accounts. Agency management determines who in their
organizations should receive purchase cards and convenience checks and
recommends the monthly purchase limits. Ultimately, cardholders and their
supervisors remain responsible for reviewing purchases to ensure that they
are necessary and proper.

[1] As of July 1, 2003, the use of convenience checks was limited in an effort
to minimize misuse. Agencies are still permitted to use convenience checks in
certain situations.

Objectives

Our audit objective was to determine if improper purchases were being made
using Government purchase cards or convenience checks. Also, we evaluated
controls within PCMS to detect and prevent monetary losses from fraudulent,
wasteful, or abusive purchase card transactions.


Findings and Recommendations

Section 1. Purchase Card Program Oversight

Finding 1  Additional Oversight Could Improve Purchase Card Program
           Effectiveness

Generally, we found that the transactions reviewed were proper and that the
program met its intent of providing a cost-beneficial process for procuring
goods and services within the Department. However, certain program controls
could be strengthened to identify improper payments and potentially fraudulent
activities. Specifically, we found that some cardholders failed to reconcile
their transactions in PCMS, the alert system could be made more effective, and
policies governing supervisory oversight needed strengthening. These
weaknesses occurred because there were limited controls in place to ensure
that cardholders reconciled their purchases, the alert system overwhelmed
oversight personnel with excessive messages, and limited controls existed
within the system to ensure that supervisors reviewed the appropriateness of
cardholder purchases.
As a result, potential improper transactions may not be detected, and agencies
are at an increased risk of monetary losses resulting from undetected
fraudulent, wasteful, or abusive purchase card transactions.

Unreconciled Transactions

We noted that over 1,400 cardholders had not reconciled approximately 6,700
transactions totaling over $3.4 million within 30 days as required by
departmental regulations (DR). We also noted agency managers had not suspended
(deactivated) 685 cardholders' accounts after they had not reconciled over
3,000 transactions totaling about $750,000 within the 60-day time limit.[2]
This occurred because agency managers did not take action to monitor or
restrict the purchasing activity of cardholders who failed to reconcile their
transactions in a timely manner. As a result, fraudulent or improper
transactions may go undetected and not disputed through the lender.
Furthermore, the cardholder's agency may have no recourse in resolving
fraudulent or improper transactions.

[2] DR 5013-6, "Use of the Purchase Card and Convenience Check," dated
February 13, 2003, requires cardholders to reconcile their accounts no longer
than 30 days after a transaction appears in PCMS, absent extenuating
circumstances. Further, program coordinators shall deactivate the account of
any cardholder who fails to reconcile transactions within 60 days after each
transaction appears in PCMS. Furthermore, transactions cannot be disputed after
60 days.

DR 5013-6 states that cardholders shall reconcile their accounts no longer
than 30 days after a transaction appears in PCMS, absent extenuating
circumstances. Further, program coordinators shall deactivate the account of
any cardholder who fails to reconcile transactions within 60 days after each
transaction appears in PCMS.

The PCMS Cardholder Responsibilities Guide requires that the cardholder contact
the merchant to resolve any dispute before processing it through PCMS. If the
dispute cannot be resolved with the merchant, the cardholder must mark the
transaction as a disputed transaction in PCMS and fax the lender notice that
the transaction is in dispute. The cardholder has 60 days from the date of a
transaction to file a dispute with the lender. After the 60-day time limit,
the lender is not obligated to accept any disputes of questioned transactions.
Further, the guide requires the cardholder to reconcile transactions at least
once a month in PCMS using documentation retained from each purchase.
Cardholders who frequently use their purchase cards should increase the
frequency of reconciliation in order to keep reconciliation sessions brief and
to assist agency management and finance officials in monitoring the status of
funds.

Alert Message System Could Be Improved

PCMS automatically creates alert messages when a purchase meets certain
criteria such as suspicious merchant category codes (e.g., pawn shops, liquor
stores, jewelry stores, camera stores, etc.), potential split transactions,
unreconciled transactions after 30 days, and transactions on closed accounts.
However, because of the volume of alert messages, agency oversight personnel
have not been vigilant in monitoring those alerts.
Agency coordinators cited difficulty in using the system and excessive
workload as reasons for not keeping current in reading and acting on alert
messages.

We also found that all alert messages are sent to the responsible purchase
cardholder, LAPC, and APC rather than to specific individuals identified in
the system requirements document. PCMS requirements documentation requires
that alerts for suspicious transactions should go to LAPCs and not to
responsible purchase cardholders. OPPM could not provide a reasonable answer
as to why the alert message system within PCMS did not match the system's
requirements. The current distribution of alert messages diminishes the
effectiveness of the internal control because cardholders are alerted when the
system identifies certain transactions intended for review by agency oversight
personnel. For example, an alert that a purchase was made from a vendor with a
suspicious merchant category code could be seen by the cardholder that
perpetrated the improper purchase. The cardholder could conceal an improper
payment by marking the alert message as "read."[3]

[3] Because of the volume of alert messages received, oversight personnel
generally ignore messages marked as "read," assuming that appropriate action
had been taken.

Lack of Supervisory Review of Transactions

OPPM established a policy that cardholders' supervisors should review their
employees' purchase card transactions on a quarterly basis. However, we noted
that this policy was not enforced at the four agencies we reviewed to assure
that these reviews were actually being completed. In addition, while one
agency implemented a supervisory review requirement of this process, it was
ineffective. The LAPC at that agency sent monthly reports of cardholder
transactions to the supervisors; however, no documentation was ever returned
to the LAPC from the supervisor to assure that the review was actually
completed. The other three agencies did not send a list of transactions to
cardholder supervisors, and the personnel had no means to assure that
supervisors had actually reviewed purchase card transactions. More improper
purchases could be detected or deterred if a formal supervisory program were
established to review transactions on a monthly rather than quarterly basis.
This would allow the agency to dispute charges with the lender within the
60-day timeframe.

Recommendation No. 1

OPPM should establish controls to enforce its policies to (1) reconcile
transactions and address alert messages within 30 days of receipt and (2)
review purchase card transactions on a monthly basis.

Agency Response. OPPM did not concur. It stated that the recommendation is
misdirected. The Office of Inspector General (OIG) should direct this
recommendation to the heads of agencies whose purchase card programs were
reviewed during the audit. OPPM has taken a number of actions to improve the
performance of APCs and LAPCs over the years, including the promulgation of an
internal control blueprint in 2003. OPPM will continue to encourage agencies
to improve reconciliation rates and to address alert messages. However,
agencies also must be responsible for deficiencies in their purchase card
programs. APCs and LAPCs work for their own agencies; they are not OPPM
employees. OPPM does not propose to take the corrective action recommended.

OIG Position. We continue to believe that OPPM shares responsibility with user
agencies to help ensure internal controls are in place and operating
effectively. The lack of effective internal controls within PCMS is evidenced
by over 1,400 cardholders not reconciling approximately 6,700 transactions
totaling over $3.4 million, within 30 days.

OPPM should analyze potential systemic controls that could be implemented
within the PCMS application that would prompt compliance by agency cardholders
that habitually do not reconcile and review transactions in a timely manner
(e.g., suspend and/or cancel the account).

Recommendation No. 2

OPPM in coordination with OCFO should modify PCMS to (1) automatically suspend
purchase cards that have unreconciled transactions greater than 60 days and
(2) prohibit cardholders from modifying alert messages for potentially
suspicious transactions.

Agency Response. OPPM concurred with both parts of the recommendation. (1) The
Procurement Policy Division prepared a change request to automatically suspend
purchase cards that have unreconciled transactions greater than 60 days. A
change request modification document was created and submitted to the OCFO
Change Control Board (CCB) to address the recommendation. The change request
is currently under review and analysis to determine the appropriate corrective
action to satisfy the specific recommendation. The requested modification will
be implemented in 2006.
(2) The change request to prohibit cardholders from modifying alert messages
for potentially suspicious transactions was included in PCMS Release 5.1,
implemented in March 2005.

OIG Position. We concur with the management decision.

Section 2. Purchase Card Management System Controls

Finding 2  Purchase Card Management System Controls Need Strengthening

OCFO and OPPM should implement additional controls to ensure the integrity and
security of the PCMS system and improve its reliability and effectiveness in
preventing potential improper payments. We found (1) users with unrestricted
and unmonitored administrative access to the PCMS database, (2) password
settings that did not conform with Federal requirements, (3) budget object
classification codes that were not verified, (4) transactions posted to
cancelled cards, (5) incorrect or missing cardholder data, and (6) unverified
lender rebates. OCFO was aware that many of these weaknesses existed; however,
it had not implemented corrective actions due to other priorities. As a result,
the PCMS system is at greater risk of unauthorized access and improper
purchases.
Further, the Department may not be receiving the appropriate rebate from the
lender in accordance with its contract. Details follow.

Access Controls to PCMS Data

We found that 14 users had unrestricted and unmonitored database administrator
privileges to PCMS data, access to PCMS was not documented, passwords were not
encrypted, and password settings were not configured in accordance with
departmental and Federal guidelines. As a result, PCMS data is at risk of
compromise from unauthorized access.

OMB established a minimum set of controls for agencies’ automated information
security programs.[4] Agencies are required to establish controls to assure
adequate security for all information processed, transmitted, or stored. The
National Institute of Standards and Technology (NIST) further specifies
management, operational, and technical controls.[5] It illustrates the benefits
of security controls and the major techniques or approaches for each control.
Both NIST and OMB advocate implementation of the “least privilege” concept,
granting users only the access required to perform their duties.

[4] OMB Circular A-130, Appendix III, “Security of Federal Automated
Information Resources,” dated November 28, 2000.
[5] NIST Special Publication 800-12, “An Introduction to Computer Security: The
NIST Handbook,” dated October 1995.

We identified 14 users from several divisions of OCFO/National Finance Center
(NFC) that had database administrative authority over PCMS data that was not
restricted to the authority needed to perform their duties, as required by
NIST Special Publication 800-14, “Generally Accepted Principles and Practices
for Securing Information Technology Systems.” Administrative authority is the
highest level of access to a database and allows those users to add, modify, or
delete data. For example, we identified three users from the security staff
that establish new user accounts. Instead of limiting their authority to only
establishing user identifications, they were given full administrative
authority to the entire PCMS database. In addition, there was no tracking
system to identify the activity processed by these users.
Therefore, we were unable to determine whether inappropriate actions had
occurred.

We also found that users’ passwords were stored in clear text and not encrypted
in the Security Access Management (SAMS) system, contrary to NIST Special
Publication 800-14.[6] In addition, the PCMS application did not force users to
change their initial password as required by Department Manual 3140-001,
“Management ADP Security Manual.” OCFO was aware of these password control
weaknesses but could not explain why the system had been designed with these
weaknesses, or when they would be corrected.

Budget Object Classification Code

PCMS does not contain a provision to allow for the appropriate budget object
classification code (BOCC) to be entered. This code is critical within the
Department’s accounting applications to ensure that tax forms required by the
Internal Revenue Service are properly prepared and sent to vendors.
PCMS was designed to enter a default BOCC regardless of the type of purchase.
Cardholders are subsequently responsible for changing it, if necessary. OCFO
was aware of the problem and has requested a change through its application
change control board; however, at the time of our review, the change had not
been approved.

Charges Occurred on Cancelled Cards

There was no internal control to prevent a cardholder (whether a current or
separated employee) from making charges on an account after the account had
been cancelled. PCMS does not perform an edit check to determine whether a
transaction transferred from the lender is associated with a deactivated card.
The lender stated that it is standard industry practice to honor certain
recurring charges despite the card being cancelled. The lender also stated that
it is the cardholder’s or APC’s responsibility to make alternate financial
arrangements for recurring transactions associated with a cancelled card.

[6] SAMS is an IBM system used to access PCMS.

Cards Not Cancelled After Cardholder Separated

Purchase cards were not cancelled in a timely manner after the cardholder
separated from the agency.
OCFO/NFC removed separated employees’ access to the PCMS application on a
monthly basis, but no prescribed controls were in place to ensure that those
employees’ purchase cards were cancelled. As a result, ex-employees could
potentially continue to make purchases on the credit card.

OCFO/NFC systems security staff informed us that they run a report once a month
that compares the social security numbers (SSN) of purchase cardholders with
the Department’s employee database. The security staff uses this report to
identify PCMS users who have left the Department and no longer need access to
PCMS. However, the security staff does not cancel the purchase card; rather,
per DR 5013-6, LAPCs are required to cancel cards. We found that no control
provision had been set forth to assure this action is taken in a timely manner.
PCMS could be modified to direct the lender to cancel a card at the same time
OCFO/NFC cancels the PCMS system access.

Invalid Social Security Numbers

We identified 126 cardholders whose SSNs in PCMS were invalid or associated
with an incorrect individual. This occurred because PCMS was not programmed
with a routine to ensure that only valid SSNs were entered into the system for
each cardholder.
As a result, there is an increased risk that unauthorized personnel may obtain
and use purchase cards.

We also performed a comparison of SSNs between PCMS and the Department’s
personnel system to determine whether all cardholders were current employees
of USDA. Our analysis for the four agencies identified SSNs that were in PCMS
but not in the personnel system. This occurred because the PCMS cardholder
table was not validated against the Department’s personnel database.
Ultimately, we were able to find the correct SSNs by performing a name and
agency search on the personnel database.

The PCMS lead developer informed us that a change request was approved to have
every SSN in the PCMS cardholder table validated against the Department’s
personnel database. Further, newly established purchase card users would have
to be validated against the Department’s personnel database before a card would
be issued.

Lack of Rebate Calculation

The Department earns a rebate from the lender based on the volume of purchase
card transactions and payments made. In fiscal year 2003, the lender paid the
Department over $4.4 million in rebates related to purchase card transactions.
We found that OCFO ensured that the rebate planned by the lender was actually
received, but it had not independently verified that the lender calculated the
rebate accurately.
At one time, PCMS lacked sufficient data to determine the payments; therefore,
an independent calculation of the estimated rebate was not possible. However,
the current version of PCMS now contains the necessary fields to validate the
rebate estimate. To ensure the Department receives its rightful rebate, PCMS
should be updated to calculate and verify that the appropriate rebate was
received from the lender.

Recommendation No. 3

OCFO should validate whether full database administrator access is needed for
all 14 users we identified to perform their job functions. Remove or restrict
access as needed and establish procedures and controls limiting future
designation.

Agency Response. OCFO/National Finance Center’s Information Resources
Management Division (IRMD) performed an analysis and review of the 14 users
identified in the audit as having database administrative authority over PCMS
data. The goal to validate needed database authority over PCMS data resulted in
the establishment of access to only those employees who require the access to
perform their regular duties. Of the 14 users identified, actions were taken to
remove access for a duplicate user identification as requested by the Data
Base Management Branch, NFC, and three were reclassified into unique roles for
Security Administration limiting their authority to establish and update.
The access of the remaining nine users was required in order to perform their
regular job duties.

The OCFO/NFC’s Information System Security Office (ISSO) is currently designing
and implementing reports using a new logging tool implemented to log and
monitor all Web and Unix servers attached to the NFC network. Currently, daily
Oracle reports are generated listing users with Data Base Administrator
authority and the status (successful only) of approximately 18 Oracle
commands. Additional reports are planned to include more activities like
administrator activity, violations, inactive accounts, etc.

NFC role owners and ISSO are working together to implement role-based access
and produce reports for management review of access and roles of their staff.
Role-based access and monitoring has been established for IRMD employees.
Associate Chief Financial Officer-Financial Systems (ACFO-FS) and ISSO will
work together to implement role-based security control monitoring for other
OCFO employees by September 30, 2006.

Access privileges were reviewed, corrected and finalized in May 2005. ISSO’s
plan for role-based security control monitoring and reporting on
implementation for ACFO-FS is scheduled for September 30, 2006.

OIG Position. We concur with the management decision.

Recommendation No.
4

OCFO should modify the PCMS application and SAMS, as appropriate, to ensure
that user password controls conform to departmental and Federal guidelines.

Agency Response. The report states that user passwords are stored in clear text
and unencrypted. This is untrue. The PCMS database is built on Oracle. Oracle
password controls conform to departmental and Federal guidelines through
encryption with a one-way hash algorithm before they are stored in the
database. Other terms for this are message digest, digital signature, one-way
encryption, digital fingerprint, or cryptographic hash. Oracle uses a Data
Encryption Standard algorithm on passwords. What is stored is a hash or
digested value and it is NOT reversible. It appears to be a string of
hexadecimal characters and has a fixed length. If someone obtains this string
or digest, they are unable to determine the password.

The PCMS application did not force users to change their initial password as
required by Departmental Manual 3140-1. A change request is being created that
addresses the PCMS access/sign-on process that will force users to change
their initial password. Following the appropriate research and analysis on the
change request, implementation of the requirement will be scheduled for
release in FY 2006.

OIG Position. We agree that Oracle does not store passwords in clear text or
unencrypted. However, PCMS passwords are stored in clear text in SAMS, which is
an IBM system used to access the Oracle-based PCMS.
As such, SAMS should be modified to encrypt passwords.

Recommendation No. 5

OPPM, in coordination with OCFO, should establish controls to require users to
validate the accuracy of the BOCC for each transaction.

Agency Response. OPPM concurred in part. It indicated that there is no way to
edit a BOCC during reconciliation to ensure that the BOCC accurately describes
the product or service purchased. A change request was approved by the CCB and
is currently under development. However, the statistical sampling feature in
the alert function already allows LAPCs to review data reported for a
transaction, including the BOCC reported by the cardholder. We understand OIG’s
concern about the present system’s autofilling a default BOCC that the
cardholder need not verify or change prior to approving/reconciling a
transaction. Autofilling the BOCC field is required for system functionality.
A change request to use a crosswalk between merchant category code and BOCC
has been approved by the CCB, and work on development of the crosswalk has
commenced. The crosswalk will autofill the BOCC field with a BOCC
corresponding to the merchant category code reported by the bank. While this
is not a total cure, it will substantially increase the accuracy of BOCCs
reported in PCMS. No release date has been determined for this change.

OCFO and OPPM will include crosswalk functionality in the PCMS update, to be
released by December 31, 2006.

OIG Position.
We concur with the proposed corrective actions; however, the estimated
completion date of December 31, 2006, is beyond the 1-year timeframe required
by Departmental Regulation (DR) 1720-1. In order to achieve management
decision, please provide detailed, time-phased interim completion dates.

Recommendation No. 6

OPPM, in coordination with OCFO, should modify PCMS to (1) reject transactions
from the lender associated with cards that have been cancelled, (2) establish
an edit to check the validity of cardholders’ SSNs, (3) direct the lender to
cancel a card at the same time that PCMS drops a cardholder’s system access,
and (4) independently calculate and verify that the appropriate rebate was
received.

Agency Response. OPPM’s position on each numbered part of Recommendation 6 is
as follows:

    1. OPPM generally concurred that transactions against cancelled accounts
       should be declined by the lender or disputed by USDA if not declined.
       OPPM has an alert message in PCMS to notify LAPCs of transactions posted
       against cancelled accounts. OPPM and OCFO are modifying PCMS to
       automatically notify the bank when a cardholder separates from USDA.
       However, a certain period of time after separation must be allowed for
       trailing transactions; i.e., transactions made before a cardholder
       separates, but not posted until after the cardholder leaves USDA.
       Finally, the lender may not decline recurring transactions such as
       renewals of magazine subscriptions. Rules governing credit card accounts
       stipulate that the subscriber must take some action to cancel the
       account or transaction to be honored.

    2. OPPM concurred. OPPM and OCFO are working on validation of cardholder
       SSNs. The first phase will be review and validation of all SSNs
       reported for current cardholders. The second phase will be to install
       an SSN edit check for all new cardholder accounts. PCMS version 6.1, to
       be released in 2006, will validate an employee’s SSN against the
       employee database whenever an account is created or modified.

    3. OPPM concurred. OPPM and OCFO are modifying PCMS to notify the bank
       automatically when a cardholder separates from USDA. A change request
       approved for PCMS version 5.2 will automate a cancellation request when
       a cardholder user identification is dropped from PCMS.

    4. OPPM concurred. An emergency change request was approved to calculate
       the refunds independently for comparison against the actual refund that
       is received from the lender.
       OPPM is discussing methods of rebate verification with OCFO and
       requirements are being developed.

OPPM anticipates that all modifications to PCMS will be completed by the 2006
release of PCMS version 6.2.

OIG Position. We concur with the proposed corrective actions; however, the
estimated completion date of 2006 is not specific and must be within the 1-year
timeframe required by DR 1720-1. In order to achieve management decision, a
specific completion date must be provided and, if the date is beyond the
1-year requirement, please provide detailed, time-phased interim completion
dates.

Scope and Methodology

We performed our audit at the OCFO/NFC, located in New Orleans, Louisiana, and
at OPPM and agency offices in Washington, D.C.
We selected transactions for the following four agencies based on the volume
of activity:

    • the Animal and Plant Health Inspection Service,
    • the Natural Resources Conservation Service,
    • the Agricultural Research Service, and
    • the Food Safety and Inspection Service.

We conducted our review from December 2003 through September 2004.

To accomplish our objectives, we performed the following:

    • Interviewed the agencies’ APCs to discuss their duties with the Purchase
      Card Program, oversight procedures, and questionable transactions.

    • Reviewed OPPM and OCFO procedures and policies, and ongoing efforts
      designed to minimize and uncover improper purchase card transactions.

    • Obtained relevant policy guidance documentation relating to the
      governance of the use of purchase cards (including the U.S. Government
      Accountability Office, Department, and OMB).

    • Analyzed PCMS transactions and PCMS alert messages.

    • Conducted various computer analyses of purchase card transaction
      activities within the PCMS database using commercially available
      analytical software to identify potential improper payments.

    • Obtained supporting documentation for transactions, and evaluated the
      information provided for compliance with purchase card requirements.

We
conducted this audit in accordance with “Government Auditing Standards.”

Exhibit A – Agency Response to the Draft Report
Exhibit A – Page 1 of 6